low advisory

Unusual Command Execution from Web Server Parent Process on Linux

This rule detects potential command execution from a web server parent process on a Linux host, a sign of a possible web shell attack in which adversaries exploit a vulnerability in the web application (or the server itself) to execute arbitrary commands.

This detection rule identifies unusual command execution originating from web server parent processes on Linux hosts, a hallmark of web shell activity. Adversaries exploit vulnerabilities in web applications hosted on servers such as Apache and Nginx (or, less often, in the server software itself) to execute arbitrary commands, so the malicious child processes blend in with the server's legitimate worker processes. The rule looks for unusual patterns and contexts, such as unexpected working directories or command structures, to flag potential compromises. A web shell lets the attacker maintain persistence, execute commands, and potentially establish command and control on the compromised host. The rule monitors process creation events and compares them against a baseline of normal web server behavior.

Attack Chain

  1. An attacker exploits a vulnerability in a web application running on a Linux server (for example, an unrestricted file upload or a remote code execution bug).
  2. The attacker gains initial access and uploads a web shell, a malicious script (e.g., PHP, Python) that allows remote command execution.
  3. The web server (e.g., Apache, Nginx) or its attached interpreter worker (for example, a PHP-FPM or WSGI process) executes the web shell in response to an HTTP request.
  4. The attacker uses the web shell to execute commands, such as spawning a reverse shell or listing files.
  5. A shell process (e.g., bash, sh) is created as a child of the web server process. Runtime helpers such as PHP's exec(), system() and shell_exec() run their argument through /bin/sh -c, which is the parent/child relationship and command-line shape these rules key on.
  6. The attacker uses the shell to perform reconnaissance, such as identifying user accounts and network configurations.
  7. The attacker attempts to establish persistence by creating a cron job or modifying system files.
  8. The attacker uses the compromised server as a command and control node to communicate with other systems or exfiltrate data.

Impact

A successful web shell attack can lead to complete compromise of the web server and potentially other systems on the network. Attackers can steal sensitive data, deface web pages, launch further attacks from the server, cause denial of service, or move laterally within the network. Although this specific detection rule is rated low severity, failing to detect and remediate the underlying web shell can have significant consequences.

Recommendation

  • Deploy the Sigma rule Detect Unusual Shell Spawned by Web Server to your SIEM and tune it for your environment to identify suspicious command execution from web server processes.
  • Investigate alerts triggered by the Detect Web Server Child Process Executing Shell with Command Line Arguments Sigma rule to identify potentially compromised web servers.
  • Review the process command lines from the alerts and, where the activity is confirmed legitimate (for example, build or deployment tooling), exclude specific working directories such as /var/www/dev or /var/www/test from the rule to reduce false positives. Keep exclusions narrow (directory plus user plus expected command line where possible), since a bare directory exclusion gives an attacker a place to operate unseen.
  • Check which process actually parents the shell in your stack: if PHP runs under PHP-FPM, or the application is served by a separate interpreter worker, the parent will be that worker rather than apache or nginx, and the parent-process list in the rules must be extended accordingly.
  • Implement additional monitoring and alerting for similar activities, focusing on unusual command executions and web server behavior as described in the Response and Remediation section of the rule documentation.

Detection coverage (2 rules)

Detect Unusual Shell Spawned by Web Server

medium

Detects shell processes (bash, sh, etc.) spawned by common web server processes (apache, nginx, etc.) indicating potential web shell activity.

Format: Sigma | Tactics: Execution, Persistence | Techniques: T1059.004 (Command and Scripting Interpreter: Unix Shell), T1505.003 (Server Software Component: Web Shell) | Log source: process_creation, linux

Detect Web Server Child Process Executing Shell with Command Line Arguments

low

Detects shell processes spawned by web servers that are invoked with the -c flag, i.e., executing a command string passed on the command line (the form produced by PHP's exec()/system() and similar runtime helpers).

Format: Sigma | Tactics: Execution, Persistence | Techniques: T1059.004 (Command and Scripting Interpreter: Unix Shell), T1505.003 (Server Software Component: Web Shell) | Log source: process_creation, linux
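The following is an added example, not the platform's or Sigma's own rule code: a small Python evaluator that applies the logic of the two rules above, plus the working-directory tuning from the Recommendation section, to constructed Linux process_creation events. Field names (image, parent_image, command_line, current_directory, user) follow the Sigma linux process_creation convention; the sample events are invented. Two things go beyond the literal rule descriptions and are assumptions: php-fpm is treated as a web server parent, and the -c check matches combined short options such as -lc rather than only the bare token.

```python
"""Toy evaluator for the two web-shell detections, run over constructed
Linux process_creation events. Added example; not the platform's code."""
import os
import re
import shlex
from dataclasses import dataclass

RULE_SHELL = "shell_spawned_by_web_server"      # medium
RULE_C_FLAG = "web_server_shell_with_c_flag"    # low
SEVERITY = {RULE_SHELL: "medium", RULE_C_FLAG: "low"}

# Web server binaries the rules key on. php-fpm is an added assumption:
# under PHP-FPM the shell's parent is the FPM worker, not apache/nginx.
WEB_SERVER_PARENTS = {"apache2", "httpd", "nginx"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
# Directories named in the Recommendation section as tuning candidates.
EXCLUDED_DIRS = ("/var/www/dev", "/var/www/test")


@dataclass(frozen=True)
class ProcessEvent:
    """Simplified Sigma linux/process_creation record (constructed)."""
    image: str             # executable of the new process
    parent_image: str      # executable of its parent
    command_line: str
    current_directory: str
    user: str


def is_web_server_parent(parent_image: str) -> bool:
    name = os.path.basename(parent_image)
    return name in WEB_SERVER_PARENTS or name.startswith("php-fpm")


def is_shell(image: str) -> bool:
    return os.path.basename(image) in SHELLS


def has_c_flag(command_line: str) -> bool:
    """True when the shell was handed a command string via -c.
    Checks argv tokens instead of the substring ' -c ' so combined short
    options such as 'bash -lc "..."' are caught as well (assumption)."""
    try:
        argv = shlex.split(command_line)
    except ValueError:        # unbalanced quotes: fall back to whitespace split
        argv = command_line.split()
    return any(re.fullmatch(r"-[A-Za-z]*c[A-Za-z]*", tok) for tok in argv[1:])


def in_excluded_dir(cwd: str) -> bool:
    """Prefix match on whole path components, so /var/www/devsite is NOT
    suppressed by an exclusion for /var/www/dev."""
    cwd = os.path.normpath(cwd)
    return any(cwd == d or cwd.startswith(d + "/") for d in EXCLUDED_DIRS)


def evaluate(events, tuned=False):
    """Return (event_index, rule_id) pairs in firing order.
    tuned=True applies the working-directory exclusion to both rules."""
    hits = []
    for i, ev in enumerate(events):
        if tuned and in_excluded_dir(ev.current_directory):
            continue
        if is_web_server_parent(ev.parent_image) and is_shell(ev.image):
            hits.append((i, RULE_SHELL))
            if has_c_flag(ev.command_line):
                hits.append((i, RULE_C_FLAG))
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # 0: PHP web shell calling exec("id; uname -a"): both rules fire
    ProcessEvent("/bin/sh", "/usr/sbin/nginx", 'sh -c "id; uname -a"',
                 "/var/www/html", "www-data"),
    # 1: interactive shell (e.g. reverse shell), no -c: rule 1 only
    ProcessEvent("/bin/bash", "/usr/sbin/apache2", "bash -i",
                 "/var/www/html", "www-data"),
    # 2: build tooling in the dev tree: the tuning candidate
    ProcessEvent("/bin/sh", "/usr/sbin/apache2", 'sh -c "composer install"',
                 "/var/www/dev/app", "www-data"),
    # 3: shell with -c, but the parent is cron, not a web server: no hit
    ProcessEvent("/bin/sh", "/usr/sbin/cron", 'sh -c "run-parts /etc/cron.hourly"',
                 "/", "root"),
    # 4: web server spawning a non-shell binary directly: covered by
    #    neither rule (a gap worth its own detection)
    ProcessEvent("/usr/bin/curl", "/usr/sbin/nginx", "curl -s 10.0.0.5/x",
                 "/var/www/html", "www-data"),
    # 5: parent is a PHP-FPM worker, caught only via the php-fpm assumption
    ProcessEvent("/bin/sh", "/usr/sbin/php-fpm8.2", 'sh -lc "cat /etc/passwd"',
                 "/var/www/html", "www-data"),
]

if __name__ == "__main__":
    for tuned in (False, True):
        print("tuned" if tuned else "untuned")
        for idx, rule in evaluate(SAMPLE_EVENTS, tuned=tuned):
            ev = SAMPLE_EVENTS[idx]
            print(f"  [{SEVERITY[rule]:6}] {rule}: {ev.parent_image} -> "
                  f"{ev.command_line} (cwd {ev.current_directory})")
```

Running it untuned shows events 0, 1, 2 and 5 firing; with tuned=True the composer run under /var/www/dev is suppressed while the rest still alert. Events 3 and 4 never fire, which illustrates the two boundaries of these rules: a shell is only interesting when its parent is a web server, and a web server executing a non-shell binary directly is outside their scope.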

Detection queries are available on the platform. Get full rules →